GuardAPI
Automated Security Protocol

How to fix Improper Assets Management in Salvo

Executive Summary

Improper Assets Management in Salvo occurs when static file handlers are misconfigured or hand-rolled without path normalization. The result is Directory Traversal (CWE-22): an attacker escapes the intended directory and reads files such as `.env`, `Cargo.toml`, or SSH private keys from the host. If your asset routing does not strictly enforce the directory boundary, it is handing out the keys to the kingdom.

The Vulnerable Pattern

VULNERABLE CODE
use salvo::prelude::*;

#[handler]
async fn unsafe_serve(req: &mut Request, res: &mut Response) {
    // The catch-all parameter captures everything after "assets/", slashes included.
    let file_name = req.param::<String>("file").unwrap_or_default();
    // VULNERABILITY: manual path joining without normalization.
    // A request for /assets/../../Cargo.toml reads the project manifest.
    let path = format!("./static/{}", file_name);

    match tokio::fs::read_to_string(&path).await {
        Ok(content) => {
            res.render(content);
        }
        Err(_) => {
            res.status_code(StatusCode::NOT_FOUND);
        }
    }
}

#[tokio::main]
async fn main() {
    let router = Router::with_path("assets/<**file>").get(unsafe_serve);
    let acceptor = TcpListener::new("127.0.0.1:5800").bind().await;
    Server::new(acceptor).serve(router).await;
}

The Secure Implementation

The vulnerable handler interpolates the request parameter straight into a path string, so a value of `../../Cargo.toml` becomes `./static/../../Cargo.toml`, which the filesystem resolves to a file two levels above the static directory. Switching to `std::path::Path::join` does not help: `join` never collapses `..` components, and if the argument is an absolute path it replaces the base entirely. The secure version hands the route to Salvo's `StaticDir` handler, which resolves the requested path against the configured root and refuses anything that would escape it. Setting `.listing(false)` additionally stops an attacker from enumerating the contents of the served directory through the browser, which is useful reconnaissance even when no single file there is sensitive. Two caveats: any mitigation of this kind still follows symlinks that live inside the static root, so audit what is placed in `static/`; and when reproducing the vulnerable pattern, remember that curl collapses `..` segments client-side unless you pass `--path-as-is`.
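When a custom handler is unavoidable (for example because assets are looked up in a database or generated on request), the boundary check has to be written by hand. The following is an added example, not code from this page or from Salvo, of such a check using only the Rust standard library; the names `resolve_asset` and `AssetError` and the `./static` root are assumptions for illustration. It inspects path components before touching the filesystem, rejecting `..`, absolute paths and their percent-encoded variants, which is exactly the property the string-interpolation version lacked.

```rust
use std::path::{Component, Path, PathBuf};

/// Failure modes of the hardened resolver. (Added example; not Salvo's API.)
#[derive(Debug, PartialEq, Eq)]
pub enum AssetError {
    /// The request contained `..`, a leading `/`, or a drive/root prefix.
    Traversal,
    /// The request contained a NUL byte or a truncated/invalid percent escape.
    Malformed,
}

/// Minimal percent-decoder so that `%2e%2e/` is seen as `../` rather than
/// slipping past a check that only looks at the literal string.
/// Returns None on a truncated or non-hex escape.
fn percent_decode(raw: &str) -> Option<String> {
    let bytes = raw.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            let hex = bytes.get(i + 1..i + 3)?;
            let hex = std::str::from_utf8(hex).ok()?;
            out.push(u8::from_str_radix(hex, 16).ok()?);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8(out).ok()
}

/// Resolve `requested` (the raw value of the route's catch-all parameter)
/// against `root`, refusing anything that would leave `root`.
///
/// The decision is made on path *components*: `ParentDir` (`..`), `RootDir`
/// (a leading `/`) and `Prefix` (`C:\` on Windows) are rejected outright and
/// `CurDir` (`.`) is dropped. Every surviving component is a `Normal` segment,
/// so the result is lexically inside `root` without calling `canonicalize`,
/// which would require the file to exist and would follow symlinks.
pub fn resolve_asset(root: &Path, requested: &str) -> Result<PathBuf, AssetError> {
    let decoded = percent_decode(requested).ok_or(AssetError::Malformed)?;
    if decoded.contains('\0') {
        return Err(AssetError::Malformed);
    }
    let mut safe = root.to_path_buf();
    for comp in Path::new(&decoded).components() {
        match comp {
            Component::Normal(seg) => safe.push(seg),
            Component::CurDir => {}
            Component::ParentDir | Component::RootDir | Component::Prefix(_) => {
                return Err(AssetError::Traversal)
            }
        }
    }
    Ok(safe)
}

fn main() {
    // Constructed sample requests: one benign, then the traversal shapes an
    // automated scanner typically sends against a static-file route.
    let root = Path::new("./static");
    for req in [
        "css/app.css",
        "../../Cargo.toml",
        "%2e%2e/.env",
        "/etc/passwd",
        "./img/./logo.png",
    ] {
        println!("{:<20} -> {:?}", req, resolve_asset(root, req));
    }
}
```

In a Salvo handler the resolver would be fed the catch-all parameter, roughly `resolve_asset(Path::new("./static"), &req.param::<String>("file").unwrap_or_default())`, and only the returned path would be opened. The check is purely lexical: it guarantees the path is inside `./static` as written, not that a symlink inside `static/` does not point elsewhere.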

SECURE CODE
use salvo::prelude::*;
// Requires the `serve-static` feature of the `salvo` crate.
use salvo::serve_static::StaticDir;

#[tokio::main]
async fn main() {
    // FIX: use the built-in StaticDir handler.
    // It normalizes the requested path, refuses to leave the root, and sets MIME types.
    let router = Router::with_path("assets/<**path>").get(
        StaticDir::new(["static/"])
            .defaults("index.html")
            .listing(false), // disable directory listing to prevent reconnaissance
    );

    let acceptor = TcpListener::new("127.0.0.1:5800").bind().await;
    Server::new(acceptor).serve(router).await;
}


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes more than 500 vulnerability patterns across more than 40 frameworks to provide up-to-date remediation strategies.